SecKeychainItemCopyContents is segfaulting on private keys

266 views Asked by At

I'm using this code to list all private keys and get some info about them, using Apple's security framework API:

int main(int argc, const char * argv[]) {
    const void *keys[]   = { kSecClass,    kSecReturnRef,   kSecMatchLimit,    kSecAttrKeyClass};
    const void *values[] = { kSecClassKey, kCFBooleanTrue,  kSecMatchLimitAll, kSecAttrKeyClassPrivate};

    CFDictionaryRef searchDict = CFDictionaryCreate(
        NULL,
        keys, values, sizeof(keys) / sizeof(keys[0]),
        NULL, NULL
    );
    checkAlloc(searchDict);

    CFArrayRef items;
    check(SecItemCopyMatching(searchDict, (CFTypeRef *)&items));

    for(int i=0; i<CFArrayGetCount(items); i++) {
        SecKeychainItemRef item = (SecKeychainItemRef) CFArrayGetValueAtIndex(items, i);

        CFShow((CFTypeRef)item);

        SecItemClass cls;
        SecKeychainAttributeList attrs;
        UInt32 dataLen;
        void* data;

        check(SecKeychainItemCopyContent(item, &cls, &attrs, &dataLen, &data));

        printf("Key: %d\n", (int)dataLen);

        check(SecKeychainItemFreeContent(&attrs, data));
    }

    CFRelease(items);
    CFRelease(searchDict);

    return 0;
}

The call to SecKeychainItemCopyContent segfaults, even though none of the pointers I've been passing in are invalid.

The CFShow prints lines similar to <SecKey 0x7fb4d9d01420 [0x7fff74790ed0]>, so item should be a SecKeyRef, but the documentation for it says that it's OK to use a SecKeyRef as a SecKeychainItemRef if the key is in a keychain. However, I don't see any functions to find if the key is in a keychain, so I can't validate that the returned keys can be used as such.

What am I doing wrong here?

2

There are 2 answers

1
Eric Tsui On BEST ANSWER

To copy the data and/or attributes stored in the given keychain item, the 3rd parameter of function SecKeychainItemCopyContent() is SecKeychainAttributeList *attrList with type like,

  struct SecKeychainAttributeList
  {
    UInt32 count;
    SecKeychainAttribute *attr;
  };

For this IN/OUT param attrList: On input, it's the list of attributes that you request to retrieve. On output, the attributes are filled in. Pass NULL if there is no need to retrieve any attributes, or pass an attribute list that you need to get. It should be either of these two mentioned pass in arguments. Leave it uninitialized could cause problem, like segfaulting.

So, please try like this, it should work well.

SecKeychainAttributeList attrs = {0, NULL};
//...  
check(SecKeychainItemCopyContent(item, &cls, &attrs, &dataLen, &data));

or

//SecKeychainAttributeList attrs ;
//... 
check(SecKeychainItemCopyContent(item, &cls, NULL, &dataLen, &data));
printf("Key: %d\n", (int)dataLen);
check(SecKeychainItemFreeContent(NULL, data));

In case there was a need to get attributes list, the sample code could be as follows,

 SecKeychainAttributeList xlist;
 SecKeychainAttribute outList[] = 
 {
    {kSecAddressItemAttr,},
    {kSecAccountItemAttr,},
    {kSecVolumeItemAttr,},
    {kSecProtocolItemAttr}
 };

 xlist.count = sizeof(outList)/sizeof(outList[0]);
 xlist.attr = outList;

 //...
 err = SecKeychainItemCopyContent (itemRef, nil, &xlist, &len, &outData);
 //...
0
Colonel Thirty Two On

Apparently, the SecKeychainAttributeList parameter is not just an output. It's also an input containing the attributes to get.

SecKeychainAttributeList dereferenced the uninitialized attrs->attr pointer and crashed. Initializing the pointer to NULL fixes the issue.